Legal claims defining the scope of protection, as filed with the USPTO.
1. A key derivation method, comprising: acquiring, by a first network slice to which a user equipment (UE) is currently attached, a slice identifier corresponding to the first network slice, wherein the slice identifier uniquely identifies the first network slice; and transmitting, by the first network slice, the slice identifier to a designated communication device, wherein the slice identifier is configured to instruct the designated communication device to derive, according to the slice identifier, an intermediate key required by the first network slice; wherein the transmitting the slice identifier to a designated communication device comprises: transmitting a first authentication request to the designated communication device, wherein the first authentication request carries the slice identifier and a service network identifier; wherein the intermediate key is derived according to the slice identifier and the service network identifier by using a key generation function (KDF) which is a function of the slice identifier, the service network identifier, a key sequence number (SQN) ⊕ an anonymous key (AK), an encryption key (CK) and an integrity protection key (IK); wherein the AK is derived from, according to a key derivation algorithm f5, a root key and a random number and used to hide the SQN, ⊕ is an XOR algorithm, and the CK and the IK are both derived from the root key.
2. The method according to claim 1, wherein the designated communication device comprises at least one of: a user data center and a user authentication center.
3. The method according to claim 2, further comprising: receiving response information for the first authentication request, wherein the response information carries a security authentication vector; and transmitting a second authentication request to the UE according to the security authentication vector, wherein the UE derives the intermediate key according to the second authentication request.
4. The method according to claim 1, further comprising: in response to determining that the UE needs to be handed over from the first network slice to a second network slice, receiving an attach request message transmitted by an access network (AN), wherein the attach request message carries a service identifier; determining whether a service range of the second network slice comprises a service corresponding to the service identifier; and in response to determining that the service range of the second network slice comprises the service corresponding to the service identifier, transmitting the slice identifier of the second network slice to the designated communication device.
5. The method according to claim 4, wherein the slice identifier of the second network slice comprises at least one of: identifier information of the second network slice and temporary identifier information allocated by the second network slice to the UE.
6. The method of claim 1, wherein the slice identifier comprises at least one of: identifier information of the first network slice and temporary identifier information allocated by the first network slice to the UE.
7. A key derivation method, comprising: receiving a slice identifier transmitted by a network slice, wherein the slice identifier uniquely identifies the network slice; and deriving an intermediate key required by the network slice according to the slice identifier; wherein the receiving a slice identifier transmitted by a network slice comprises: receiving an authentication request transmitted by the network slice, wherein the authentication request carries the slice identifier and a service network identifier; wherein the intermediate key is derived according to the slice identifier and the service network identifier by using a key generation function (KDF) which is a function of the slice identifier, the service network identifier, a key sequence number (SQN) ⊕ an anonymous key (AK), an encryption key (CK) and an integrity protection key (IK); wherein the AK is derived from, according to a key derivation algorithm f5, a root key and a random number and used to hide the SQN, ⊕ is an XOR algorithm, and the CK and the IK are both derived from the root key.
8. The method according to claim 7, wherein the slice identifier comprises at least one of: identifier information of the network slice and temporary identifier information allocated by the network slice to a user equipment (UE).
9. The method according to claim 7, wherein the slice identifier comprises at least one of: identifier information of the network slice and temporary identifier information allocated by the network slice to a user equipment (UE).
10. A key derivation device, comprising: a processor; and a memory, configured to store instructions executable by the processor; wherein the processor is configured to acquire a slice identifier corresponding to a first network slice to which a user equipment (UE) is currently attached, and transmit the slice identifier to a designated communication device, wherein the slice identifier uniquely identifies the first network slice, and the slice identifier is configured to instruct the designated communication device to derive, according to the slice identifier, an intermediate key required by the first network slice; wherein the processor is configured to transmit a first authentication request to the designated communication device, wherein the first authentication request carries the slice identifier and a service network identifier; wherein the intermediate key is derived according to the slice identifier and the service network identifier by using a key generation function (KDF) which is a function of the slice identifier, the service network identifier, a key sequence number (SQN) ⊕ an anonymous key (AK), an encryption key (CK) and an integrity protection key (IK); wherein the AK is derived from, according to a key derivation algorithm f5, a root key and a random number and used to hide the SQN, ⊕ is an XOR algorithm, and the CK and the IK are both derived from the root key.
11. The key derivation device according to claim 10, wherein the designated communication device comprises at least one of: a user data center and a user authentication center.
12. The key derivation device according to claim 11, wherein the processor is further configured to: receive response information for the first authentication request, wherein the response information carries a security authentication vector; and transmit a second authentication request to the UE according to the security authentication vector, wherein the second authentication request carries the slice identifier, wherein the UE derives the intermediate key according to the second authentication request.
13. The key derivation device according to claim 10, wherein the processor is further configured to: in response to determining that the UE needs to be handed over from the first network slice to a second network slice, receive an attach request message transmitted by an access network (AN), wherein the attach request message carries a service identifier; determine whether a service range of the second network slice comprises a service corresponding to the service identifier; and in response to determining that the service range of the second network slice comprises the service corresponding to the service identifier, transmit the slice identifier of the second network slice to the designated communication device.
14. The key derivation device according to claim 13, wherein the slice identifier of the second network slice comprises at least one of: identifier information of the second network slice and temporary identifier information allocated by the second network slice to the UE.
15. The key derivation device according to claim 10, wherein the slice identifier comprises at least one of: identifier information of the first network slice and temporary identifier information allocated by the first network slice to the UE.
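Claims 1, 7 and 10 all specify the same derivation: an intermediate key computed by a KDF over the slice identifier, the service network identifier, SQN ⊕ AK, CK and IK, where AK comes from f5 on the root key and a random number and CK/IK also come from the root key. The following is an added example, not code from the patent or its applicant, showing that derivation in Python. Its assumptions: f3, f4 and f5 are replaced by HMAC-SHA256 stand-ins (real USIMs use MILENAGE or TUAK), the KDF encodes each input parameter followed by its 2-byte length in the style of 3GPP TS 33.220 Annex B with CK||IK as the HMAC key, the parameter ordering is a choice of this example, and all sample values (root key, RAND, SQN, slice and serving network identifiers) are constructed. The security-relevant point it demonstrates is that binding the slice identifier into the KDF input makes the intermediate key of one slice unusable in another, while the UE and the authentication center, sharing the root key, still derive the same key.

```python
# Added example (not from the patent): intermediate-key derivation in the
# shape claim 1 describes, with the slice identifier bound into the KDF input.
import hmac
import hashlib

# Constructed sample values (not from the patent). Lengths follow AKA
# conventions: 128-bit root key K, 128-bit RAND, 48-bit SQN/AK, 128-bit CK/IK.
ROOT_KEY = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
RAND = bytes.fromhex("23553cbe9637a89d218ae64dae47bf35")
SQN = bytes.fromhex("ff9bb4d0b607")
SERVING_NETWORK_ID = b"5G:mnc001.mcc001.3gppnetwork.org"   # constructed
SLICE_EMBB = b"sst=1;sd=000001"                            # constructed
SLICE_URLLC = b"sst=2;sd=000002"                           # constructed


def xor_bytes(a, b):
    """Byte-wise XOR; the claims write this as SQN ⊕ AK."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def _prf(root_key, tag, rand):
    """Keyed PRF used by the f3/f4/f5 stand-ins below (assumption)."""
    return hmac.new(root_key, tag + rand, hashlib.sha256).digest()


def f5_anonymity_key(root_key, rand):
    """Stand-in for f5: AK from the root key and RAND, truncated to 48 bits
    (assumption: HMAC-SHA256; real USIMs use MILENAGE or TUAK)."""
    return _prf(root_key, b"f5", rand)[:6]


def derive_ck_ik(root_key, rand):
    """Stand-ins for f3/f4: CK and IK from the root key (same assumption)."""
    return _prf(root_key, b"f3", rand)[:16], _prf(root_key, b"f4", rand)[:16]


def kdf(key, *params):
    """Generic KDF in the style of 3GPP TS 33.220 Annex B (assumption): each
    input parameter is followed by its 2-byte big-endian length and the whole
    string is run through HMAC-SHA256 under the given key."""
    s = b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_intermediate_key(slice_id, serving_network_id, sqn, ak, ck, ik):
    """Intermediate key = KDF(slice id, service network id, SQN ⊕ AK, CK, IK),
    the input set the claims list. CK||IK is the KDF key and the other three
    values form the input string; that split and the ordering are assumptions."""
    if len(sqn) != 6 or len(ak) != 6:
        raise ValueError("SQN and AK must both be 48 bits")
    return kdf(ck + ik, slice_id, serving_network_id, xor_bytes(sqn, ak))


def derive_from_root(root_key, rand, sqn, slice_id, serving_network_id):
    """What both the UE (USIM side) and the user authentication center can
    compute from the shared root key once RAND and the slice identifier are
    known; the network sends only RAND and SQN ⊕ AK over the air, not SQN."""
    ak = f5_anonymity_key(root_key, rand)
    ck, ik = derive_ck_ik(root_key, rand)
    return derive_intermediate_key(slice_id, serving_network_id, sqn, ak, ck, ik)


def slice_keys_are_isolated(root_key, rand, sqn, serving_network_id, slice_a, slice_b):
    """True when the two slices end up with different intermediate keys, i.e.
    a key derived for one slice cannot simply be reused in the other."""
    ka = derive_from_root(root_key, rand, sqn, slice_a, serving_network_id)
    kb = derive_from_root(root_key, rand, sqn, slice_b, serving_network_id)
    return ka != kb


if __name__ == "__main__":
    ue_key = derive_from_root(ROOT_KEY, RAND, SQN, SLICE_EMBB, SERVING_NETWORK_ID)
    net_key = derive_from_root(ROOT_KEY, RAND, SQN, SLICE_EMBB, SERVING_NETWORK_ID)
    print("UE and network agree:", ue_key == net_key)
    print("eMBB key:", ue_key.hex())
    print("slices isolated:", slice_keys_are_isolated(
        ROOT_KEY, RAND, SQN, SERVING_NETWORK_ID, SLICE_EMBB, SLICE_URLLC))
```

When reading the output, the useful check is the second flag: the only input that differs between the two derivations is the slice identifier, so a differing key shows the binding the claims rely on is effective. Swapping the HMAC stand-ins for a real MILENAGE f3/f4/f5 implementation changes the key values but not this property.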
March 29, 2022